GDPR bites and mail bounces back

It’s been less than three months now since the GDPR came into force. We look at what has happened to organisations caught out by GDPR, what you can do to comply, and some surprising trends with businesses cashing in on its implementation across the EU.

The GDPR is actually good news, coming into being as a response to unscrupulous marketing and data analysis firms harvesting and selling user data, and spamming EU citizens with unprompted emails, mail and phone calls, without explicit user consent.

  • The General Data Protection Regulation came into force on 25th May 2018
  • EU wide Data Protection Rules that streamline the way all personal data, of all types, is stored and handled across all EU member states
  • In force in European Union (EU) & European Economic Area (EEA)
  • Addresses the export of personal data outside the EU and EEA

Previous UK data laws, the Data Protection Act 1998 (DPA) and EU Data Protection Directive, didn’t really have much in the way of fines for infringement. In drafting the GDPR, the EU recognised that it needed much stronger legal ‘teeth’, and financial penalties for non-compliance have changed radically with the GDPR, now enshrined in the UK’s own Data Protection Act 2018.

“Fines can be invoked of up to 20 million Euros or 4% of organisation total global turnover, whichever is the greater.”

How does GDPR work to benefit EU citizens?

Let’s take an example. If Joe Bloggs opens an unsolicited email from you that he objects to and hasn’t opted in to receive, he could report you under GDPR regulations. That’s a similar situation as before, but the difference under the GDPR is that far more power now resides with each citizen inside the EU over how their personal data can be stored, handled and processed. The enterprise sending Joe the email is liable for a caution or a fine under GDPR legislation.

In another example, Joe hears in the news that the EU based online dating site he has signed up to has been hacked, and that his personal data may have been stolen. Under the GDPR this report likely hit the news because all enterprises must report any data breach of user data within 72 hours, if they are likely to have an adverse effect on user privacy. Again, the enterprise handling Joe’s data may be cautioned or fined.

What are the fines so far for GDPR breaches?

It was initially thought that the approach of authorities monitoring GDPR compliance would be as it has been in the past, which was to ensure you’re at least working on compliance, and to gently push you in the right direction, rather than impose big fines at the outset.

That’s why everyone is watching the Dixons Carphone data breach reported in June. Even though the breach happened before GDPR came into effect, the data breach was later discovered to have affected a lot more personal records than initially thought. Under previous data protection rules the maximum imposable fine would have been £500,000, whereas under the new GDPR Dixons Carphone could face fines of up to £17.6m (€20m).

The Information Commissioner’s Office, in charge in the UK of looking into GDPR compliance related to data breaches said:

“Dixons Carphone reported a data breach to the ICO in June. The company has now confirmed that the incident affected the personal data of 10 million records, which is significantly higher than initially stated. Our investigation into the incident is ongoing and we will take time to assess this new information. In the meantime, we would expect the company to alert all those affected in the UK as soon as possible and to take all steps necessary to reduce any potential harm to consumers. We will look at when the incident happened and when it was discovered as part of our work and this will inform whether it is dealt with under the 1998 or 2018 Data Protection Acts.”

The market reacted predictably to the news, with Dixons Carphone’s shares having fallen almost 8% since mid June.

But it’s not just about organisations directly hit by data breaches under GDPR regulations. Just ten days after the GDPR came into force, some companies felt the pinch of its effects on their future business. Publisher Johnston Press was one of the first media organisations to take a GDPR related hit, after the group at their June AGM cited the impact of more onerous European privacy restrictions as a contributory factor to a decline in their digital ad revenues. Their overall revenues fell 9% over the first half year.

Apart from the large potential fines, the requirement to disclose any user data breach is a key aspect for all organisations handling data, and it is this requirement that gives the GDPR a good chance of being taken seriously and implemented right across the EU.

What’s ‘personal data’ and who needs to comply with GDPR?

Whilst GDPR requirements might appear onerous for many businesses, it conveniently provides just one set of regulations to comply with. Before GDPR, there were actually 28 sets of rules in place in different EU countries regarding personal data.

The GDPR contains provisions and requirements relating to processing of personally identifiable information (personal data) of individuals inside the European Union. It applies to the processing of the personal data of any person inside the EU by any enterprise established in the EU, regardless of the data subjects’ citizenship, and regardless of the enterprise’s location or even its size.

The GDPR applies as much to sole traders as it does to large corporates. Controllers of personal data within any enterprise must put in place appropriate technical and organisational measures to implement the GDPR data protection principles.

The GDPR assumes data protection by design and by default, which means each process handling personal data must be designed and built with consideration of GDPR principles, as well as providing safeguards to protect that data. For example, ideally all user data should be anonymised, as well as having the highest-possible privacy settings by default. This means that the user data is secure and not available publicly without explicit, informed consent, and cannot be used to identify a subject without additional information stored separately.
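The "cannot be used to identify a subject without additional information stored separately" design described above is what the regulation calls pseudonymisation. The following is an added example, not code from the original article or from any organisation it names: it replaces direct identifiers in a constructed customer table with keyed HMAC tokens, generalises the postcode, and keeps the re-identification key and lookup index apart from the working dataset. The record fields, the key handling and the helper names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only; not real people.
SAMPLE_CUSTOMERS = [
    {"customer_id": 1001, "email": "alice@example.com", "postcode": "SW1A 1AA", "orders": 3},
    {"customer_id": 1002, "email": "bob@example.com", "postcode": "M1 1AE", "orders": 1},
]

# Fields that directly identify a person and must not appear in the working dataset.
DIRECT_IDENTIFIERS = ("customer_id", "email")


def new_pseudonym_key() -> bytes:
    """Generate the secret key. Store it separately from the pseudonymised data
    (e.g. in a secrets manager), never alongside the records it protects."""
    return secrets.token_bytes(32)


def pseudonymise_value(key: bytes, field: str, value) -> str:
    """Keyed, deterministic token for one value.

    Domain separation by field name means the same string appearing in two
    different fields yields two different tokens. Without the key the token
    cannot be reversed or rebuilt, so an unkeyed hash of guessable values
    (emails, IDs) would not be enough here."""
    message = f"{field}:{value}".encode("utf-8")
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def generalise_postcode(postcode: str) -> str:
    """Keep only the outward code ('SW1A 1AA' -> 'SW1A'), enough for regional
    analysis but not for locating an individual address."""
    return str(postcode).split()[0]


def pseudonymise_record(key: bytes, record: dict, fields=DIRECT_IDENTIFIERS) -> dict:
    """Return a copy of one record with identifiers tokenised and postcode generalised."""
    out = {}
    for name, value in record.items():
        if name in fields:
            out[name] = pseudonymise_value(key, name, value)
        elif name == "postcode":
            out[name] = generalise_postcode(value)
        else:
            out[name] = value  # non-identifying attributes are kept for analysis
    return out


def pseudonymise_dataset(key: bytes, records: list, fields=DIRECT_IDENTIFIERS) -> list:
    """Produce the working dataset that analysts or third parties may use."""
    return [pseudonymise_record(key, r, fields) for r in records]


def build_reidentification_index(key: bytes, records: list, field: str = "email") -> dict:
    """Token -> original value. This is the 'additional information' that must be
    held separately, under its own access controls, from the pseudonymised data."""
    return {pseudonymise_value(key, field, r[field]): r[field] for r in records}


def reidentify(index: dict, token: str):
    """Controlled reverse lookup, e.g. to answer a data subject access request."""
    return index.get(token)


if __name__ == "__main__":
    key = new_pseudonym_key()
    working = pseudonymise_dataset(key, SAMPLE_CUSTOMERS)
    lookup = build_reidentification_index(key, SAMPLE_CUSTOMERS)
    for row in working:
        print(row)
    print("total orders still computable:", sum(r["orders"] for r in working))
    print("reverse lookup of first token:", reidentify(lookup, working[0]["email"]))
```

Two caveats a practitioner should keep in mind. First, pseudonymised data is still personal data under the GDPR (Article 4(5) and Recital 26) as long as the key or index exists somewhere; it only approaches anonymisation once re-identification is no longer reasonably possible. Second, the protection depends entirely on the separation: if the key or the lookup index is stored next to the working dataset, or granted to the same people, the exercise achieves nothing.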

The GDPR also says no personal data may be processed unless it is done under a lawful basis specified by the regulation, or unless the enterprise’s data controller or processor has received an unambiguous and individualised affirmation of consent from the data subject. Any person in the EU or EEA (data subject) also has the right to revoke this consent at any time in the future.

Any processor of personal data must clearly disclose any data that has been collected, declare the lawful basis and purpose for the data processing, and state how long the data is being retained, and also if it is being shared with any third parties or outside of the EU.

Data subjects have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. All public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO). The DPO is directly responsible for managing compliance with the GDPR. Matthew Lea, Data Protection Expert, Herrington Carmichael Solicitors, said:

“Where you collect personal data of an individual, you are required to provide information such as who you are, how you can be contacted, details of your organisation’s Data Protection Officer (DPO) if you have appointed one, why you are processing their personal data, who you are sending it to, and if you are transferring their data abroad. You also need to provide information on their rights as data subjects, and say how long you intend to keep their personal data for.”

The six legal grounds for data processing under GDPR
  1. Consent has been given by the data subject
  2. Processing is necessary for the performance of a contract with the data subject, or to take steps to enter into a contract
  3. Processing is necessary for compliance with a legal obligation
  4. Processing is necessary to protect the vital interests of a data subject or another person
  5. Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  6. Necessary for the purposes of ‘legitimate interests’ pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject.

Regarding point 6, you may be OK if you hold and process user data based on ‘legitimate interest’. The best way to see whether this is the case with your data is to assess it using the ICO guidance.

What do you need to do to get GDPR compliant?

There are many aspects of business that you need to look at. Most UK organisations have a website and user or customer specific data of some type stored somewhere, whether website or email newsletter registrations, or user data in financial, telephone, email, CRM, sales or marketing systems. Basically anything that can identify a user.

The simple first things you can do relate to your website and any user data you hold. Your website privacy notice can be amended to indicate how your organisation complies with GDPR requirements, as can the text that goes with website forms used to collect personal data, such as the ‘Contact us’ forms that many websites have. Another recommendation is to mention that you hold and manage user data in a GDPR compliant way.

You could do this by adding a link to your website privacy notice in your organisation’s standard email footer, which ensures all the people you communicate with directly have access to it.

Here’s a more detailed list of things to be fully GDPR compliant:

  1. Inform your organisation internally about GDPR
  2. Website privacy notice – create or update your page(s)
  3. Cookies – sort out your website cookie control and policy
  4. Forms – update client enquiry, email news and lead capture
  5. Records – record the user ‘opt-in’ process
  6. Campaign pages – GDPR compliant landing pages
  7. Improve your security around all your user data
  8. Consider GDPR compliance software and data insurance

Cashing in on GDPR

On the flip side, companies are also legitimately capitalising on the GDPR, sometimes in surprising and interesting areas.

Confidential waste specialist Russell Richardson has geared up to make life easier for businesses beefing up their data protection processes in line with GDPR. As shredding, archiving and recycling experts, they brought in a multi-tasking mobile shredding truck which they have taken out on the road. Their massive mobile shredder can deal with up to 2.5 tonnes of confidential paperwork an hour at a client’s premises, and can destroy data-packed computer hard drives, CDs and memory sticks in seconds.

“Some companies used to throw whole computers in a skip with the hard-drive still in place. Now GDPR has imposed tighter rules, we scaled up to help companies who have to take extra care of their data. We’re seeing an increase in customers who prefer to witness on-site the certified destruction of data stored on computers and tech devices.”

Most enterprises with big customer and partner email databases have sent out individual special ‘opt-in’ emails to all of their users, to make sure they are GDPR compliant. Other smaller companies have just ditched their email or CRM contact databases, deciding that filtering them all for GDPR compliance is just not worth the hassle, or that continuing to send emails out to their whole contact database is now just too risky.

One interesting aspect of GDPR relates to mail, which may have an advantage over electronic communications in meeting the conditions for what the GDPR calls ‘legitimate interest’. In this case you don’t need specific user consent for future postal marketing. This means that, despite higher mail costs versus email and electronic communication, many enterprises are now seriously reconsidering the option to post selected information direct to their customers.

Direct mail and print companies are also beginning to benefit from GDPR for the same reason. After decades of decline in mail volumes, and given how little mail we now receive, it is likely to become very attractive to marketers to use mail to raise customer awareness of company products and services.

Conclusion

The bottom line is that the GDPR is here to stay, and isn’t going to go away. “What about Brexit?” you might ask. Well, even though the UK voted to leave the EU, the Government decided we would still comply with the GDPR, and you have to follow the regulations.

So, instead of hoping to get around it, if you really haven’t yet got to grips with your obligations under the GDPR, see it for what it is. An opportunity to tidy up all of your customer data and mailing lists, consolidate them all into one secure system or location, and to implement systems and processes to ensure that all of your data related to individuals is stored, managed and processed in line with GDPR requirements.

The good news is GDPR means a lot of the spam emails and unsolicited calls and mail you used to get will disappear. You’ll also likely start getting targeted mail through the letterbox that is better designed, more interesting and more useful to its recipients. As this happens, consumer confidence in communications from organisations will steadily rise, email open rates and click rates will improve and mail response will increase, as people will only receive information and offers from the companies they like and trust.

That can only mean that being part of the GDPR solution, rather than against it, is good news for future business communication.

Is Britain really still great for business?

GET Consultants looks at the prospects for High Growth Small Businesses (HGSBs) and what might happen at Brexit point, barriers for growth for HGSBs, and what these businesses can do to offset risks to their future survival.

There’s a commonly held maxim that only one in five small businesses set up in Britain will survive five years, but the truth is a lot more complicated than that. It really does depend on how big you are already, what sector you’re operating in, where in the UK you are doing business and the plans you have to survive, transform and grow.

High Growth Small Businesses (HGSBs)

Octopus has produced three HGSB reports over the last few years, highlighting the importance of these businesses to the UK economy. HGSBs have more than 20% annual average growth over a three-year period and an annual turnover of between £1 million and £20 million. Whilst they make up less than 4% of the UK’s total GVA (Gross Value Added), HGSBs made a far more significant contribution, accounting for 22% of Britain’s overall growth between 2005 and 2006.

HGSB contribution to the UK economy:

  • They see value in training, with 84% funding training for at least one member of staff over the last 12 months
  • Only 1% of UK businesses, yet account for 3% of UK total jobs in 2016 (22,074 out of 5.6 million companies)
  • HGSBs created an average of just over 3,030 new jobs every week, around 20% of the jobs created in the UK
  • 74% of HGSBs surveyed feel confident in their economic prospects over the next year versus last year

What will Brexit mean for HGSBs?

There is a constant battle for a share of consumer revenue and profit from HGSB companies that deliver products and services, with the evolution of new technology changing the business landscape ever faster. Whilst business finance, trade deals, skilled labour and resources are the fighting ground of European and global politicians, they are also the lifeblood of most businesses which require access to all of these to grow and transform for future success.

The biggest challenge post Brexit is likely to be a skills shortage. Almost two thirds of HGSBs surveyed by Octopus consider finding talent and skills shortages to be an important or very important constraint on their business growth.

41% of HGSBs surveyed also consider skills shortages to be the policy area where UK Government action could make the biggest difference for their businesses. 90% of HGSBs say that they face some form of skills shortage. This is even more remarkable when placed in the context of the UK average of just 17% of companies that say they have skills gaps or skill-shortage vacancies. This means that, whatever deal the government delivers for the UK outside of the EU, sufficient skills and resources for continued growth will be paramount.

Barriers to growth – the need for change in business thinking

The 2016 Coast to Capital report, on businesses in the triangle from Chichester to Newhaven to Croydon, identified specific barriers that are concerning for the scale-up and growth of UK medium sized businesses in key sectors.

The reasons for business growth limitations fall into three broad categories, the three ‘C’s:

  • Customers – both online and offline sales and marketing to create new local UK and overseas buyers
  • Capacity – Room to grow including factories, office space, warehousing and overseas premises
  • Cash – easy access to the type of finance at affordable interest rates to ensure growth when it is required

Based on the 2018 Octopus report, there are also growth barriers for HGSB companies beyond Brexit, customers, capacity and finance: issues specifically related to infrastructure of a range of types.

  • One in three HGSBs considers digital infrastructure to be a primary constraint on their business growth
  • 53% of HGSBs in London say poor transport links with other regions is a hindrance to their business and something that the Government could do more to alleviate.
  • 69% of HGSBs consider the UK Government’s Digital Communications infrastructure programme (as described in the Industrial Strategy Green Paper) to be “important” or “very important” to their business.

Conclusion

Every medium sized business needs a strategy for growth. Simply subsisting is no longer an option – just look at what is happening to the UK high street as consumers move to even more online purchasing.

Every business owner owes their staff the time and energy and focus to work out how they can best grow, thrive and survive. And that means sometimes getting out of the day-to-day office environment and regular comfort zone and confronting some of the toughest challenges that face British business – future skills, effective use of technology, new customers and finance.

GET Consultants is holding a series of Scale Up Labs to help High Growth Small Businesses to transform and grow and avoid some of the pitfalls and barriers to long term and efficient growth.